Im in the process of putting together a new Azure design for a client. As always in Azure, the network components form the core of the design. There was a couple of key requirements that needed to be addressed that the existing environment had outgrown: lack of any layer 7 edge heightened security controls and a lack of a DMZ.

I was going through some designs that I’ve previously done and was checking the Microsoft literature on what some fresh design patterns might look like, in case anything’s changed in recent times. There is still only a single reference ¹ on the Microsoft Azure documentation and it still references ASM and not ARM.

For me then, it seems that the existing pattern I’ve used is still valid. Therefore, I thought I’d share what that architecture would look like via this quick blog post.

DMZ with a firewall appliance design

Here’s an overview of some key points on the design:

• Firewall appliances will have multiple interfaces, but, typically will have 2 that we are mostly concerned about: an internal interface and an external interface
• Network interfaces in ARM are now independent objects from compute resources
  • As such, an interface needs to be associated with a subnet
  • Both the internal and external interfaces could in theory be associated with the same subnet, but, thats a design for another blog post some day
• My DMZ design features two subnets in two zones
  • Zone 1 = “Untrusted”
  • Zone 2 = “Semi-trusted”
  • Zone 3 = “Trusted” - this is for reference purposes only so you get the overall picture
• Simple subnet design
  • Subnet 1 = “External DMZ”
  • Subnet 2 = “Internal DMZ”
  • Subnet 3 = Trusted
• Network Security Groups (NSGs) are also used to encapsulate the DMZ subnets and to isolate traffic from the VNET
• Through this topology there are effectively three layers of firewall between the untrusted zone and the trusted zone
  • External DMZ NSG, firewall appliance and Internal DMZ NSG
• With two DMZ subnets (external DMZ and internal DMZ), there are two scenarios for deploying DMZ workloads
  • External DMZ = workloads that do not require heightened security controls by way of the firewall
    • Workload example: proxy server, jump host, additional firewall appliance management or monitoring interfaces
    • Alternatively, this subnet does not need to be used for anything other than the firewall edge interface
  • Internal DMZ = workloads that required heightened security controls and also (by way of best practice) shouldn’t be deployed in the trusted zone
    • Workload example: front end web server, Windows WAP server, non domain joined workloads
• Using the firewall as an edge device requires route tables to force all traffic leaving a subnet to be directed to the firewall internal interface
  • This applies to the internal DMZ subnet and the trusted subnet
  • The External DMZ subnet does not have a route table configured so that the firewall is able to route out to Azure internet and the greater internet
• Through VNET peering, other VNETs and subnets could also route out to Azure internet (and the greater WWW) via this firewall appliance - again, leverage route tables